Yes, there are plenty of ways you can compromise your online identity by (mis-) using a dating website. A scenario not everyone considers, however, is having your password stolen and used to hijack other aspects of your online identity.

If this sounds like a nightmare scenario, it is. And it happened to over 300 users of popular Vancouver-based dating website PlentyOfFish.com last week when a hacker compromised the site’s security and retrieved real names, passwords and e-mail addresses for a small subset of the site’s 11,000,000 users.

The breach highlights an error that PlentyOfFish and many other websites make: storing user passwords in plain text. To be truly secure, passwords should be encrypted using what is called a one-way cryptographic hash function. Such a function makes it possible to verify a user’s password without storing the original, plain-text password; in the event the password database is stolen or otherwise compromised, it is impossible for a hacker to infer what the original password for a user was.

In the case of PlentyOfFish.com, as well as other websites that employ poor password storage practices, a security breach means a perpetrator has retrieved not only sensitive personal information, like your name, e-mail address, and physical address, but your unencrypted password as well. A hacker will then be able to attempt to use this password on other websites and, all too often, be successful in those efforts because the user has used the same password across multiple websites.

To protect yourself against scenarios like this, follow a simple rule: make sure to use a unique password for every website you use. To make keeping track of so many passwords manageable, use your web browser’s integrated password manager or a standalone password manager such as KeePass (Windows) or 1Password (OSX). In the event one website’s security is compromised, you won’t have to worry about the breach spreading into other parts of your digital footprint.

Comments

Or, create an algorithm for coming up with passwords: for instance, take all the consonants of a site’s name, and add !243 to the end. Of course, a hacker might guess your process. But in these large-scale attacks, it is unlikely that anyone would go to the trouble.